Authentication providers and single sign-on (SSO)
StoreConnect supports a number of login methods for store users. By default a username and password login is provided; to offer alternative login options you will need to create an Authentication Provider.
Supported authentication options:
- StoreConnect
- Azure Active Directory (AD) B2C
- Experience Cloud
- Microsoft Entra ID
Configure authentication providers
Authentication Providers can be created from the store’s Authentication Providers related list.
StoreConnect authentication (username + password)
If no active Authentication Providers exist for a store, then a username/password login will be available by default.
If you wish to allow multiple login options and still provide username/password login, you will need to create a StoreConnect Authentication Provider for the store. Other than Provider and Active, all fields can be left blank.
| StoreConnect Field | Local Provider Value |
|---|---|
| Provider | StoreConnect |
| Authorised Domains | |
| Client Id | |
| Client Secret | |
| Provider URL | |
| Reset Password URL | |
Azure Active Directory B2C authentication
| StoreConnect Field | Local Provider Value |
|---|---|
| Provider | Azure |
| Authorised Domains | |
| Client Id | Azure Client ID |
| Client Secret | |
| Provider URL | Azure Base URL |
| Reset Password URL | |
The Base URL here is the URL of your Azure login page; it may look similar to: https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/B2C_1A_signup_signin
To test that your URL is correct, add /discovery/keys to the end of the URL and visit it in a browser. If the URL is correct you should see a JSON response similar to:
```json
{ "keys": [ {"kid":"EU323HFCv3ZRmOgTOGLXcFsjlnq0RzRhzKsSGFXLDyk3","use":"sig","kty":"RSA","e":"AQAB","n":"…"} ] }
```
Callback URL
In your Active Directory configuration you will need to add the callback URL to the list of permitted URLs:
https://your-store-domain/logins/auth/azure/callback
Reset Password URL
Due to security limitations, StoreConnect is not able to initiate a password reset for an Active Directory account. To support password reset, the ‘reset password’ flow on the store will redirect the user to the Reset Password URL if it is present. If left blank, the store will not show a ‘reset password’ link.
Azure AD payload mapping
When StoreConnect receives a token from Azure AD, it maps the payload fields to Contact fields as follows:
| Azure AD payload field | Salesforce Contact field |
|---|---|
| sub | sso_uid |
| (StoreConnect AuthenticationProvider sfid) | sso_provider_id |
| email \|\| signInName \|\| signInNames.emailAddress \|\| upn \|\| preferred_username | email, username |
| given_name | first_name |
| family_name | last_name |
| phone_number \|\| Phone Number | phone |
| name | Account name |
`||` indicates priority order: the first value present is used.
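The priority rule in the table above, worked through in code. This is an added example, not StoreConnect's implementation; the claim names are those in the table, while the payloads and the provider sfid are constructed sample values.

```python
# Added example (not StoreConnect's code): the claim-to-Contact mapping in
# the table above. "||" means priority order: the first claim present wins.
# Dotted names address nested claims such as signInNames.emailAddress.
CLAIM_MAP = {
    "sso_uid": ["sub"],
    "email": ["email", "signInName", "signInNames.emailAddress",
              "upn", "preferred_username"],
    "first_name": ["given_name"],
    "last_name": ["family_name"],
    "phone": ["phone_number", "Phone Number"],
    "account_name": ["name"],
}

def lookup(payload, dotted_name):
    """Resolve a possibly nested claim; None when absent or empty."""
    value = payload
    for part in dotted_name.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return None if value in (None, "") else value

def first_present(payload, candidates):
    """Apply the || priority rule over an ordered list of claim names."""
    for name in candidates:
        value = lookup(payload, name)
        if value is not None:
            return value
    return None

def map_claims(payload, provider_sfid):
    """Map a verified token payload to Contact fields; provider_sfid is the
    Authentication Provider record's Salesforce ID (sso_provider_id)."""
    contact = {"sso_provider_id": provider_sfid}
    for field, candidates in CLAIM_MAP.items():
        contact[field] = first_present(payload, candidates)
    contact["username"] = contact["email"]  # the email claim feeds both
    return contact

# Constructed payloads. The B2C one has no top-level email claim, so the
# nested signInNames.emailAddress is used; the Entra one carries upn and
# preferred_username, and upn wins because it comes first in the list.
B2C_PAYLOAD = {"sub": "constructed-b2c-uid", "given_name": "Pat",
               "family_name": "Lee", "name": "Pat Lee",
               "signInNames": {"emailAddress": "pat@example.com"}}
ENTRA_PAYLOAD = {"sub": "constructed-entra-uid", "upn": "pat@corp.example",
                 "preferred_username": "p.lee@corp.example", "phone_number": ""}
```

Run it against a decoded token payload from your own tenant to see which claim actually supplies the Contact email before relying on email matching.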
Google authentication
| StoreConnect Field | Local Provider Value |
|---|---|
| Provider | |
| Authorised Domains | |
| Client Id | Google OAuth Client ID |
| Client Secret | Google OAuth Client Secret |
| Provider URL | |
| Reset Password URL | |
To generate your credentials, follow these instructions from Google: OAuth Access
Reset Password URL
Due to security limitations, StoreConnect is not able to initiate a password reset for a Google account. To support password reset, the ‘reset password’ flow on the store will redirect the user to the Reset Password URL if it is present. If left blank, the store will not show a ‘reset password’ link. For Google, use https://support.google.com/mail/answer/41078 as the password reset URL to direct users to Google’s own support page.
Microsoft Entra ID authentication
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft’s workforce identity service. Use this provider when your customers or staff authenticate with Microsoft 365 / work accounts.
:::note
This provider is for standard Microsoft Entra ID (workforce edition). If you are using Azure Active Directory B2C (the consumer-facing identity service with custom sign-up/sign-in policies), use the Azure Active Directory B2C authentication provider instead.
:::
| StoreConnect Field | Value |
|---|---|
| Provider | Microsoft Entra ID |
| Authorised Domains | |
| Client Id | Azure Application (client) ID |
| Client Secret | Azure client secret value |
| Provider URL | https://login.microsoftonline.com/<tenant-id> |
| Reset Password URL | |
Replace <tenant-id> with your Azure tenant ID — a UUID visible in the Azure portal under Microsoft Entra ID → Overview.
To verify that the Provider URL is correct, append /discovery/keys?appid=<your-client-id> to the URL and open it in a browser. You should see a JSON response listing signing keys:
```json
{ "keys": [ {"kid":"...","use":"sig","kty":"RSA","e":"AQAB","n":"..."} ] }
```
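A small offline check for the discovery-keys step described here and in the Azure AD B2C section above. It is an added example, not StoreConnect's code: it builds the URL the way the page describes (Provider URL plus /discovery/keys, with ?appid=<client id> for Entra ID) and inspects a saved JSON response for the fields a usable RSA signing key set must have. The sample responses are constructed.

```python
# Added example (not StoreConnect's code): build the discovery-keys URL the
# page tells you to visit and sanity-check the JSON it returns, offline.
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]+")

def build_keys_url(provider_url, client_id=None):
    """Provider URL + /discovery/keys; Entra ID also wants ?appid=<client id>."""
    url = provider_url.rstrip("/") + "/discovery/keys"
    return f"{url}?appid={client_id}" if client_id else url

def check_jwks(text):
    """Return a list of problems; an empty list means a usable RSA signing JWKS."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON ({exc.msg}); check for curly quotes"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["no non-empty 'keys' array"]
    problems, seen = [], set()
    for i, key in enumerate(keys):
        kid = key.get("kid")
        if not kid:
            problems.append(f"key {i}: missing kid")
        elif kid in seen:
            problems.append(f"key {i}: duplicate kid {kid!r}")
        seen.add(kid)
        if key.get("kty") != "RSA":
            problems.append(f"key {i}: kty {key.get('kty')!r}, expected RSA")
        if key.get("use", "sig") != "sig":  # absent 'use' is treated as signing
            problems.append(f"key {i}: use {key.get('use')!r}, not a signing key")
        for param in ("n", "e"):
            val = key.get(param)
            if not isinstance(val, str) or not B64URL.fullmatch(val):
                problems.append(f"key {i}: {param} missing or not base64url")
    return problems

# Constructed samples; the modulus is a placeholder, not a real key.
GOOD_JWKS = json.dumps({"keys": [{"kid": "constructed-kid-1", "use": "sig",
                                  "kty": "RSA", "e": "AQAB",
                                  "n": "0vx7agoebGcQSuuPiLJXZpt"}]})
CURLY_JWKS = "{ “keys”: [] }"  # what a copy-paste from a web page can look like
```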
Registering the app in Azure
In the Azure portal, register a new app under Microsoft Entra ID, with the following configured:
- Set the redirect URI (platform: Web) to the callback URL below.
- Generate a client secret under Certificates & secrets, and copy the secret value (not the secret ID) into the Client Secret field.
- Under API permissions, confirm that the `openid` and `email` delegated permissions are granted.
Callback URL
Add the following redirect URI to your Azure app registration:
https://your-store-domain/logins/auth/entra_id/callback
Reset Password URL
StoreConnect cannot initiate a password reset for an Entra ID account. If you populate the Reset Password URL field, the store’s reset password flow redirects users to that URL instead. If left blank, no reset password link appears. For Microsoft accounts you can use your organization’s self-service password reset URL, or leave it blank if managed by your IT team.
Entra ID payload mapping
Microsoft Entra ID uses the same token claim mapping as Azure AD B2C. See Azure AD payload mapping.
Details on a new Contact
When a new website account is created using an SSO provider, these values are saved on the new Contact record:
| SSO Provider field | Salesforce Contact field |
|---|---|
| First Name | First Name |
| Last Name | Last Name |
| Username | |
| Phone | Phone |
How StoreConnect links SSO identities to Contacts
When a customer authenticates via SSO, StoreConnect links their identity provider account to a Salesforce Contact record. Understanding this flow helps with troubleshooting linking issues and designing the right login UX for your store.
The redirect flow
- Customer clicks the login button on the store.
- StoreConnect redirects to the identity provider (e.g. Azure AD), passing a `provider_id` that identifies which Authentication Provider record to use.
- The customer authenticates with the identity provider.
- The identity provider redirects back to StoreConnect’s callback URL.
- StoreConnect validates the identity and links it to a Contact.
What StoreConnect captures: email, first name, last name, phone, and the provider’s unique user ID. These are stored on the Contact and Login records.
What StoreConnect cannot capture: if a customer creates an identity provider account independently — outside of the StoreConnect login redirect flow — StoreConnect has no way to link it to a Contact. The link is only established when the customer authenticates through StoreConnect’s redirect flow.
How StoreConnect matches returning users to Contacts
When a customer returns through the SSO redirect, StoreConnect attempts to match them to an existing Contact in this order:
- Post-checkout session — if the customer just completed checkout in the same browser session, StoreConnect uses the Contact created at checkout directly. Most reliable.
- Previously linked SSO identity — if the customer has logged in via SSO before, StoreConnect matches by their stored provider user ID.
- Email address — StoreConnect performs a case-insensitive email match against existing Contacts, returning the most recently created match.
If no match is found, StoreConnect creates a new Contact.
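The three-step matching order above, modelled in code so the behaviour on edge cases is visible: a linked provider user ID beats an email match even when the email has changed, and an email match picks the most recently created Contact, which is how duplicate Contacts (see the note under Option 2 below) get linked to the wrong record. This is an added example, not StoreConnect's implementation; the Contacts, identities and sfids are constructed sample data.

```python
# Added example (not StoreConnect's code): a model of the returning-user
# matching order described above. All records below are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Contact:
    sfid: str
    email: str
    created: date
    sso_uid: Optional[str] = None  # provider user ID from a previous SSO login

def match_contact(contacts, identity, checkout_contact_sfid=None):
    """Return (contact, reason) for an identity {'sso_uid', 'email'} from the IdP."""
    # 1. The same browser session just completed checkout: unambiguous.
    for c in contacts:
        if c.sfid == checkout_contact_sfid:
            return c, "post_checkout_session"
    # 2. A previously linked SSO identity, matched by stored provider user ID.
    for c in contacts:
        if c.sso_uid is not None and c.sso_uid == identity["sso_uid"]:
            return c, "linked_sso_identity"
    # 3. Case-insensitive email; the most recently created Contact wins,
    #    which is why duplicate Contacts can link the wrong record.
    wanted = identity["email"].casefold()
    hits = [c for c in contacts if c.email.casefold() == wanted]
    if hits:
        return max(hits, key=lambda c: c.created), "email_match"
    return None, "new_contact"

def duplicate_emails(contacts):
    """Emails owned by more than one Contact: resolve these before relying on email matching."""
    groups = {}
    for c in contacts:
        groups.setdefault(c.email.casefold(), []).append(c.sfid)
    return {e: ids for e, ids in groups.items() if len(ids) > 1}

CONTACTS = [  # two duplicates share Pat's email; Sam has linked SSO before
    Contact("003-constructed-01", "pat@example.com", date(2023, 1, 5)),
    Contact("003-constructed-02", "Pat@Example.com", date(2024, 6, 1)),
    Contact("003-constructed-03", "sam@example.com", date(2024, 2, 1),
            sso_uid="idp-sam-42"),
]
IDENTITY_PAT = {"sso_uid": "idp-pat-7", "email": "PAT@example.com"}
IDENTITY_SAM = {"sso_uid": "idp-sam-42", "email": "sam.new@example.com"}
```

Running `duplicate_emails` over an export of your Contacts is a quick way to find the records that would make step 3 ambiguous.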
Post-checkout SSO account creation
A common scenario in B2B stores: a customer completes checkout as a guest (creating a Contact in Salesforce) but hasn’t yet created or linked their SSO account. When they later try to log in, StoreConnect needs to link their SSO identity to the Contact created at checkout.
There are two approaches:
Option 1: Auto-redirect after checkout (recommended)
Redirect customers to StoreConnect’s SSO login URL immediately after checkout completes. Because the customer is still in the same browser session, StoreConnect links their SSO identity directly to the Contact just created — no ambiguity.
The redirect URL is:
/auth/azure?provider_id=<AUTHENTICATION_PROVIDER_SFID>
Where AUTHENTICATION_PROVIDER_SFID is the Salesforce ID of the store’s Authentication Provider record. This initiates the full Azure → StoreConnect redirect flow.
Implement this by redirecting to this URL from the checkout confirmation page — either automatically or via a prominent “Set up your account” button.
Option 2: SSO link in the order confirmation email
If the customer has already left the checkout session, include an SSO login link in their order confirmation email. When clicked, StoreConnect initiates the redirect flow, the customer signs in (or signs up) with Azure, and StoreConnect matches them to their existing Contact by email address.
The link must point to StoreConnect’s login URL — not directly to Azure — so StoreConnect can initiate the flow and capture the identity:
https://your-store-domain/auth/azure?provider_id=<AUTHENTICATION_PROVIDER_SFID>
This link is the same for all customers. No per-user token is needed. StoreConnect matches by the email address returned from Azure against the Contact created at checkout.
Note: email matching returns the most recently created Contact with that email address. If a customer has duplicate Contact records in Salesforce, StoreConnect may link to the wrong one. Resolve duplicate Contacts before relying on this approach.
Logout behavior
When a customer clicks logout, StoreConnect always clears its own session. Whether the identity provider (IdP) session is also terminated depends on the provider configured for your store.
Providers where the IdP session is also ended
SingleKey ID — StoreConnect redirects to the SingleKey end-session endpoint on logout, which terminates the customer’s SingleKey session. The customer must authenticate again on their next login.
Providers where only the StoreConnect session is cleared
For Azure AD B2C, Microsoft Entra ID, Google, and generic OpenID providers, StoreConnect clears its own session but does not contact the identity provider’s end-session endpoint.
What this means for Azure AD B2C and Entra ID: the customer’s Azure session cookie remains active in their browser after they log out of StoreConnect. If they click login again, Azure may silently re-authenticate them without prompting for credentials — it can appear as though logout had no effect.
If your store requires a full sign-out from Microsoft on logout — for example, on shared or public devices — inform customers they should also sign out from their Microsoft account directly, or close their browser entirely.
Experience Cloud
Allowing login from Experience Cloud requires more configuration in Salesforce than the other Authentication Providers; please follow the dedicated Experience Cloud login as SSO guide.